Using Guardian Library for Authentication between Web API and Mobile App

Hello all, I was recommended by the friendly members of the Elixir Slack not to use JWT for authentication as it’s recently been advised against by most people in the security community.

See here: Stop using JWT for sessions

  1. With respect to using the Guardian library, I’m confused if the issue is JSON Web Tokens itself or if OAuth2 is the security issue. Does using Phoenix tokens or another token format instead of JWT with the Guardian library solve the security issue?

  2. What is the recommended alternative to JWT?

  3. Is it possible to do server side session authentication with a mobile app?

Note: I am building a Phoenix Web App and API with a companion native mobile app built in Flutter. Stuck on how to authenticate from the mobile app and make requests to the API.


Hello all, I have decided to pursue using server-side sessions and a cookie for authentication with the mobile app. Honestly, I didn’t even know this was an option until consulting with a friend. This seems much simpler to me. I can just use the new phx.gen.auth library, and with my Flutter app I can use HTTP requests and a cookie manager library. Hope this helps anyone who is doing something similar.
